Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01
Table A-1 lists the parameters in the Security Profile that relate to database, LDAP, or custom authentication. You set these parameters when configuring a security profile to use a database, LDAP, or custom security adapter. You define these parameters in the Data Sources section and Basic Information section under Security Profiles in the Siebel Management Console.
You can define database authentication parameters for the following named subsystems:
InfraSecAdpt_DB. That is, for the DBSecAdpt named subsystem or a similar security adapter with a nondefault name.
InfraDataSource. That is, for the ServerDataSrc named subsystem or another data source.
Note: Database authentication is supported for development environments only; it is not supported for production environments.
You can define LDAP authentication parameters for the following named subsystems:
InfraSecAdpt_LDAP. That is, for the LDAPSecAdpt named subsystem or a similar security adapter with a nondefault name.
You can define custom authentication parameters for the following named subsystems:
InfraSecAdpt_Custom. That is, for the CustSecAdpt named subsystem or a similar security adapter with a nondefault name.
The named subsystem is specified as the value for the data source Security Adapter Name parameter for the database, LDAP, or custom security adapter.
Table A-1 Security Adapter Authentication Parameters

| Parameter | Section Under Security Profiles | Comment or Description |
|---|---|---|
| Name | Data Sources | Specify the name of the data source. |
| Type | Data Sources | Specify the type or mode of authentication you are using. The options are: If you implement a custom, non-Siebel security adapter, then you must configure your adapter to interpret the parameters used by the Siebel adapters if you want to use those parameters. |
|  | Data Sources | Specify the host name for the data source, such as the host name of the database server for database authentication. Note that you may have to include the IP address if the server is configured to listen only with the IP address: |
| Port | Data Sources | Specify the port number for the source, such as the port number of the database server for database authentication. For example, specify: |
| Application User Distinguished Name | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the user name of a record in the directory with sufficient permissions to read any user's information and do any necessary administration. This user provides the initial binding of the LDAP directory with the Application Object Manager when a user requests the login page, or else anonymous browsing of the directory is required. You enter this parameter as a full distinguished name (DN), for example You must implement an application user. |
|  | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the password for the user defined by the Application User Distinguished Name parameter. In an LDAP directory, the password is stored in an attribute. The application password must be encrypted. Clear text passwords are not supported for the LDAPSecAdpt named subsystem. For more information, see "Changing Encrypted Passwords Using the Siebel Management Console". |
| Base Distinguished Name | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the base distinguished name, which is the root of the tree under which users of this Siebel application are stored in the directory. Users can be added directly or indirectly after this directory. For example, a typical entry for an LDAP server might be: BaseDN = "ou=people, o=domain_name" where: |
| Custom Library | Data Sources. This option appears if you select Custom Authentication. | Name of the custom security adapter implementation. For example, custsecadpt in the case of custsecadpt.so, custsecadpt.dll and so on. Do not give the file extension. |
| SQL Style of Database | Data Sources. This option appears if you select Database or Custom Authentication. | Specify the SQL style for your Siebel database. Specify one of the following: |
| Database Service Name | Data Sources. This option appears if you select Database Authentication. | The database name: |
| Table Owner | Data Sources. This option appears if you select Database Authentication. | The table owner for the database. |
| CRC Checksum | Data Sources. This option appears if you select Custom Authentication and only if the Custom Library parameter is Not Null. | Provide the value of the checksum performed on the applicable security adapter library (DLL). This value, applicable for the Siebel Server only, ensures that each user accesses the Siebel database through the correct security adapter. If this field is empty or contains the value 0 (zero), then no checksum validation is performed. If you upgrade your version of Siebel Business Applications, then you must recalculate the checksum value and replace the value in this field. For more information, see "Configuring Checksum Validation". |
| Credentials Attribute | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the attribute type that stores a database account. For example, if Credentials Attribute is set to dbaccount, then when a user with user name HKIM is authenticated, the security adapter retrieves the database account from the dbaccount attribute for HKIM. This attribute value must be of the form If you implement LDAP security adapter authentication to manage the users in the directory through the Siebel client, then the value of the database account attribute for a new user is inherited from the user who creates the new user. The inheritance is independent of whether you implement a shared database account, but does not override the use of the shared database account. |
| Hash Algorithm | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the hash algorithm to be used for password hashing. Choose one of the following: |
| Hash DB Password | Data Sources. This option appears if you select LDAP or Custom Authentication. | Select this check box to specify password hashing for database credentials passwords. |
| Hash User Password | Data Sources. This option appears if you select LDAP or Custom Authentication. | Select this check box to specify password hashing (using the hashing algorithm specified using the Hash Algorithm parameter) for user passwords. For more information, see "About Password Hashing". |
| Password Attribute Type | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the attribute type under which the user's login password is stored in the directory. The LDAP entry must be userPassword. |
| Propagate Change | Data Sources. This option appears if you select LDAP or Custom Authentication. | Select this check box to allow administration of the directory through Siebel Business Applications UI. When an administrator then adds a user or changes a password from within the Siebel application, or a user changes a password or self-registers, the change is propagated to the directory. A non-Siebel security adapter must support the SetUserInfo and ChangePassword methods to allow dynamic directory administration. |
| Roles Attribute (optional) | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the attribute type for roles stored in the directory. For example, if Roles Attribute is set to roles, then when a user with user name HKIM is authenticated, the security adapter retrieves the user's Siebel responsibilities from the roles attribute for HKIM. Responsibilities are typically associated with users in the Siebel database, but they can be stored in the database, in the directory, or in both. The user gets access to all of the views in all of the responsibilities specified in both sources. However, it is recommended that you define responsibilities in the database or in the directory, but not in both places. For details, see "Configuring Roles Defined in the Directory". |
| Shared Databases Account Distinguished Name (fully qualified domain name) | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the absolute path (not relative to the Base Distinguished Name) of an object in the directory that has the shared database account for the application. If not set, then the database account is looked up in the user's DN as usual. If set, then the database account for all users is looked up in the shared credentials DN instead. The attribute type is determined by the value of the Credentials Attribute parameter. For example, if the Shared Database Account Distinguished Name parameter is set to |
| Shared DB User Name | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the user name to connect to the Siebel database. You must specify a valid Siebel user name and password for the Shared DB User Name and Shared DB Password parameters. Specify a value for this parameter if you store the shared database account user name as a parameter rather than as an attribute of the directory entry for the shared database account. To use this parameter, you can use an LDAP directory. For more information, see "Storing Shared Database Account Credentials as Profile Parameters". |
| Shared DB Password | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specify the password associated with the Shared DB User Name parameter. |
| Security Adapter Mapped User Name | Data Sources. This option appears if you select LDAP or Custom Authentication. | If this check box is selected and the user key name passed to the security adapter is not the Siebel User ID, then the security adapter retrieves the Siebel User ID for authenticated users from an attribute defined by the Siebel Username Attribute parameter. |
| Siebel Username Attribute | Data Sources. This option appears if you select LDAP or Custom Authentication, and if the Security Adapter Mapped User Name check box is selected. | If set, then this parameter is the attribute from which the security adapter retrieves an authenticated user's Siebel User ID. If not set, then the user name passed in is assumed to be the Siebel User ID. |
| SSL | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specifies whether or not to enable Secure Sockets Layer for socket connections to the host. |
| Enable SSL | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specifies whether or not TLS is used for communication between the LDAP security adapter and the directory. If this check box is not selected, then TLS is not used. To use TLS, the value of this parameter must be the absolute path of the wallet, generated by Oracle Wallet Manager, that contains a certificate for the certificate authority that is used by the LDAP server. |
|  | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specifies that the security adapter uses Web Single Sign-On (Web SSO) authentication rather than security adapter authentication. Note that you must disable Web SSO when you configure Siebel Gateway initially (first time running Siebel Management Console). Then after you complete Siebel Gateway initial configuration and enterprise deployment, you must add the SSO parameters retrospectively using Siebel Server Manager. For more information, see Siebel System Administration Guide. |
| Trust Token | Data Sources. This option appears if you select Web Single Sign-On for LDAP or Custom Authentication. | Specifies a password to be used with Web Single Sign-On (Web SSO) authentication. |
| Wallet Password | Data Sources. This option appears if you select SSL for LDAP or Custom Authentication. | Specifies the password to open the wallet that contains a certificate for the certificate authority used by the directory server. Note that you do not have to specify the wallet location when configuring an LDAP security adapter because the wallet file (ewallet.p12) is placed in the trust store location. |
| Salt Attribute Type | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specifies the attribute that stores the salt value if you have chosen to add salt values to user passwords. The default attribute is title. |
| Salt User Password | Data Sources. This option appears if you select LDAP or Custom Authentication. | Select this check box to specify that salt values are to be added to user passwords before they are hashed. This parameter is ignored if the Hash User Password parameter is set to FALSE. Adding salt values to user passwords is not supported if you are using Web Single Sign-On. For more information on salt values, see "About Password Hashing". |
| User Name Attribute Type | Data Sources. This option appears if you select LDAP or Custom Authentication. | Specifies the attribute type under which the user's login name is stored in the directory. For example, if User Name Attribute Type is set to uid, then when a user attempts to log in with user name HKIM, the security adapter searches for a record in which the uid attribute has the value HKIM. This attribute is the Siebel user ID, unless the Security Adapter Mapped User Name check box is selected. If you implement an adapter-defined user name (the Security Adapter Mapped User Name check box is selected), then you must set the OM - Username BC Field parameter appropriately to allow the directory attribute defined by User Name Attribute Type to be updated from the Siebel client. For more information about implementing an adapter-defined user name, see "Configuring Adapter-Defined User Name". |
| Enterprise Security Authentication Profile (Security Adapter Mode) | Basic Information | Specify the type of authentication you are using. If you implement a custom, non-Siebel security adapter, then you must configure your adapter to interpret the parameters used by the Siebel adapters if you want to use those parameters. |
| Security Adapter Name (named subsystem) | Basic Information | The chosen security adapter. |
| Database Security Adapter Data Source | Basic Information. This option appears if you select Database Authentication. | Select the security adapter data source. |
| Database Security Adapter Propagate Changes | Basic Information. This option appears if you select Database Authentication. | Specify whether to propagate changes for the security adapter. Select this option to allow administration of credentials in the database through Siebel Business Applications. When an administrator then adds a user or changes a password from within a Siebel application or a user changes a password or self-registers, the change is propagated to the database. For Siebel Developer Web Client, the SecThickClientExtAuthent system preference must also be set to True. For details, see "Setting a System Preference for Developer Web Clients". |
| Authorization Roles (comma-separated) | Basic Information | Specify one or more authorization roles (which will be checked against the users logging in to the application). The default value is Siebel Administrator. This setting applies whether you are implementing security adapter authentication or Web SSO authentication. |
| User Name | Testing | Specify the user name for testing authentication under the specified authentication system. |
| Password | Testing | Specify the password for the user account used for testing. |
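
Several rows in Table A-1 state constraints between parameters (database authentication is for development only, an empty or zero CRC Checksum disables validation, Salt User Password is ignored without Hash User Password and is unsupported with Web SSO). The following check of a security profile against those statements is an added example, not Oracle code: the dict layout, the `Type` values, the `environment` argument and the `Web Single Sign-On` key are assumptions, and the other keys are the display names from the table.

```python
# Added example. Keys are the display names used in Table A-1; the dict
# layout, the Type values and the "Web Single Sign-On" key are assumptions.

def audit_profile(profile, environment="production"):
    """Return (parameter, finding) pairs for one security-profile dict."""
    findings = []
    mode = profile.get("Type")
    if mode == "Database":
        if environment != "development":
            findings.append(("Type", "database authentication is supported "
                             "for development environments only"))
        return findings  # the remaining rows apply to LDAP/custom adapters

    if not profile.get("Enable SSL"):
        findings.append(("Enable SSL", "TLS is not used between the "
                         "security adapter and the directory"))
    if mode == "LDAP" and profile.get("Password Attribute Type") != "userPassword":
        findings.append(("Password Attribute Type",
                         "the LDAP entry must be userPassword"))
    if mode == "Custom" and profile.get("Custom Library"):
        crc = str(profile.get("CRC Checksum") or "").strip()
        if crc in ("", "0"):
            findings.append(("CRC Checksum", "empty or 0, so no checksum "
                             "validation is performed on the adapter library"))
    hashed = bool(profile.get("Hash User Password"))
    salted = bool(profile.get("Salt User Password"))
    if not hashed:
        findings.append(("Hash User Password", "user passwords are not hashed"))
    if salted and not hashed:
        findings.append(("Salt User Password",
                         "ignored because Hash User Password is not set"))
    if salted and profile.get("Web Single Sign-On"):
        findings.append(("Salt User Password",
                         "salt values are not supported with Web SSO"))
    return findings


# Constructed sample profiles (not taken from a real deployment).
LDAP_PROFILE = {
    "Type": "LDAP", "Enable SSL": False,
    "Password Attribute Type": "userPassword",
    "Hash User Password": False, "Salt User Password": True,
}
CUSTOM_PROFILE = {
    "Type": "Custom", "Custom Library": "custsecadpt", "CRC Checksum": "0",
    "Enable SSL": True, "Hash User Password": True,
    "Salt User Password": True, "Web Single Sign-On": True,
}
```
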
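
The directory attributes named in Table A-1 (User Name Attribute Type, Credentials Attribute, Roles Attribute, Siebel Username Attribute and the shared database account DN) interact at login. The following model of those lookups over a constructed in-memory directory is an added example, not Siebel code: the dict layout, the sample DNs, the `employeeNumber` mapping attribute and the placeholder `dbaccount` values are assumptions, and the credential value is treated as opaque.

```python
# Added example: a model of the lookups Table A-1 describes, run against a
# constructed in-memory directory. Not Siebel code; the dict layout is assumed.

def resolve_login(cfg, directory, login):
    """Return what the adapter would read for login, or None if no unique match."""
    base = cfg["Base Distinguished Name"].replace(" ", "").lower()
    name_attr = cfg["User Name Attribute Type"]
    hits = [(dn, e) for dn, e in directory.items()
            if dn.replace(" ", "").lower().endswith("," + base)
            and login in e.get(name_attr, [])]
    if len(hits) != 1:          # no entry, or an ambiguous search result
        return None
    dn, entry = hits[0]

    # Siebel User ID: the login itself unless an adapter-defined name is mapped.
    siebel_id = login
    mapped_attr = cfg.get("Siebel Username Attribute")
    if cfg.get("Security Adapter Mapped User Name") and mapped_attr:
        siebel_id = entry.get(mapped_attr, [None])[0]

    # Database account: when the shared DN is set (an absolute path that may
    # sit outside the base DN) it is used for all users; else the user's entry.
    shared_dn = cfg.get("Shared Database Account Distinguished Name")
    source = directory.get(shared_dn, {}) if shared_dn else entry
    db_account = source.get(cfg["Credentials Attribute"], [None])[0]

    roles = entry.get(cfg.get("Roles Attribute", ""), [])
    return {"dn": dn, "siebel_id": siebel_id,
            "db_account": db_account, "roles": roles}


# Constructed directory; the dbaccount values are opaque placeholders.
DIRECTORY = {
    "uid=HKIM,ou=people,o=example": {
        "uid": ["HKIM"], "dbaccount": ["<HKIM-db-account>"],
        "roles": ["Siebel Administrator"], "employeeNumber": ["0042"]},
    "uid=shared,ou=service,o=example": {"dbaccount": ["<shared-db-account>"]},
}
CFG = {"Base Distinguished Name": "ou=people, o=example",
       "User Name Attribute Type": "uid", "Credentials Attribute": "dbaccount",
       "Roles Attribute": "roles"}
```
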